Closed ikegentz closed 1 year ago
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
For reference, I am able to get this module working by re-writing it in the following way:

main.tf

```hcl
resource "google_service_account_iam_member" "roles" {
  for_each           = toset(var.roles)
  service_account_id = var.grantor_sa_full_name
  member             = "serviceAccount:${var.grantee_sa_email}"
  role               = each.key
}
```

variables.tf

```hcl
variable "grantor_sa_full_name" {
  type        = string
  description = "Full name (format: 'projects/<project_id>/serviceAccounts/<sa_email>') for the SA on which we want to grant the permissions FROM"
}

variable "grantee_sa_email" {
  type        = string
  description = "Email for the SA on which we want to grant the permissions TO"
}

variable "roles" {
  type        = list(string)
  description = "Roles which we want to grant to the grantee, onto grantor"
}
```

outputs.tf

```hcl
output "grantee" {
  value = var.grantee_sa_email
}

output "grantor" {
  value = var.grantor_sa_full_name
}

output "roles" {
  value = var.roles
}
```
hey @ikegentz - I'm not able to reproduce the problem you've mentioned here. The identities e.g. user/group/sa are added as members with the associated roles to the SAs passed into the `service_accounts` list. I've confirmed it by running:

```
gcloud iam service-accounts get-iam-policy <resource_sa_email>
```

Can you share your config here so we can try and reproduce what you're experiencing with the module?
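A way to check the post-condition behind the `gcloud` command above, i.e. that the workaround module's bindings really landed on the grantor SA: this is an added Python example, not code from the issue or from the terraform-google-iam module. It assumes the policy is fetched with `gcloud iam service-accounts get-iam-policy <grantor_sa_email> --format=json`; the policy JSON and the service account e-mails below are constructed samples.

```python
"""Report which expected roles a grantee SA is still missing on a grantor SA,
given the JSON form of `gcloud iam service-accounts get-iam-policy` output.
Added example; the policy and e-mails are constructed, not taken from the issue."""
import json

# Constructed sample policy: the grantee holds one of the two roles the
# workaround module was supposed to bind, the other role went to a different SA.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:my_service_account_A@projectA.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:someone-else@projectA.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ-constructed=",
    "version": 1,
})


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Every role whose binding lists `member` (exact match, so the
    'serviceAccount:' prefix must be present, as the workaround module adds it)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_roles(policy_json: str, grantee_sa_email: str, roles: list[str]) -> list[str]:
    """Return the expected roles the grantee does NOT hold on the grantor SA.
    An empty list means the bindings exist; every role missing is exactly the
    'module silently did nothing' symptom described in this issue."""
    policy = json.loads(policy_json)
    held = roles_for_member(policy, f"serviceAccount:{grantee_sa_email}")
    return [r for r in roles if r not in held]


if __name__ == "__main__":
    expected = ["roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"]
    grantee = "my_service_account_A@projectA.iam.gserviceaccount.com"
    print("missing:", missing_roles(SAMPLE_POLICY_JSON, grantee, expected))
```

Pipe the real command's `--format=json` output into `missing_roles` after `terraform apply`; a non-empty result is the signal that the module did not bind what the arguments asked for.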
@g-awmalik Now I'm unable to reproduce this either. Must have been something fixed in a new version or user error. Setting `bindings`, `serviceAccounts`, `mode`, and `project`, everything appears to be working as intended.
TL;DR

Other IAM modules work great, but no matter what arguments I pass to the `service_accounts_iam` module, it does not do anything. I can pass no arguments, complete gibberish, or something valid, but this module always returns empty lists/maps and doesn't create any resources. It seems to just use the default values no matter what is passed to it.

Expected behavior

`google_service_account_iam_member` resources to be created per the arguments passed.

Observed behavior

Nothing happens. No state is created, no resources are created, outputs always return as:
Terraform Configuration
Additional information
I am using Terragrunt. This has been working great with all of the other IAM modules. I have tried with several different versions of Terragrunt/Terraform, all yielding the same results.

I am attempting to grant a service account (`my_service_account_A`) in `projectA`, permissions on another service account (`my_service_account_B`) in `projectB`. Therefore I have tried setting the `project` variable to either project, and also leaving it blank/unspecified. Does not seem to affect the output. I can pass in arguments that aren't specified as variables to the module, and still get the same result. e.g.

I would expect an error from such inputs